GM Pays for Driver Data Sales

WHAT TELEMATICS ACTUALLY CAPTURES

Modern cars stream hundreds of signals over cellular modems: GPS coordinates every few seconds, hard-braking events, acceleration curves, seatbelt status, even steering inputs. The vehicle is no longer a product the buyer owns outright — it is a sensor platform with a SIM card.

THE LEXISNEXIS PIPELINE

GM, Honda, Hyundai, and others routed driving data through LexisNexis Risk Solutions and Verisk — the same data brokers that compile insurance risk reports. Insurers then quoted higher premiums to drivers flagged for hard braking, without the drivers knowing their car had been the source.

WHY CALIFORNIA, NOT WASHINGTON

The US has no federal data privacy law. The CCPA (2018, expanded by CPRA in 2020) gives California residents rights to know, delete, and opt out of sale of personal data — and gives the state Attorney General authority to fine violators. Without it, this enforcement action would not exist.

THE EU CONTRAST

Under the GDPR, this arrangement would have been illegal from day one — selling location and behavioral data without explicit, granular, revocable consent triggers fines up to 4% of global revenue. For GM, that ceiling would be roughly $7 billion, not $12 million.

THE THIRD-PARTY DOCTRINE

US Fourth Amendment law since Smith v. Maryland (1979) holds that information voluntarily shared with a third party — phone company, bank, automaker — loses constitutional protection. Your car's location pings to GM's servers are, under current doctrine, not yours to protect.

THE ENFORCEMENT GAP

$12 million is roughly four hours of GM's 2024 revenue. The fine's deterrent value is symbolic, not financial. Real privacy enforcement in the US comes from class action settlements (the Illinois BIPA biometric law has produced billion-dollar payouts) — not regulatory penalties.